CVE-2012-4025

842460: CVE-2012-4025 squashfs-tools: integer overflow in queue_init() may lead to arbitrary code execution

The MITRE CVE dictionary describes this issue as:

Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow.
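The following is an added example, not code from squashfs-tools or its fix: one way to validate a queue size derived from an untrusted `block_log` value before allocating, so that neither the shift nor the size multiplication can wrap. The function names, the 12..20 `block_log` range, and the megabytes-to-blocks calculation are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumption: valid SquashFS 4.x block sizes are 4 KiB..1 MiB (block_log 12..20). */
#define BLOCK_LOG_MIN 12u
#define BLOCK_LOG_MAX 20u

/* Hypothetical helper: convert a buffer budget in MiB into a number of blocks.
 * Returns 0 on success, -1 if block_log is out of range or the shift would wrap. */
int queue_entries(size_t buffer_mib, unsigned block_log, size_t *entries)
{
    if (block_log < BLOCK_LOG_MIN || block_log > BLOCK_LOG_MAX)
        return -1;                      /* rejects an out-of-range superblock field */
    unsigned shift = 20u - block_log;   /* 0..8, never negative after the check */
    if (buffer_mib > (SIZE_MAX >> shift))
        return -1;                      /* left shift would lose high bits */
    *entries = buffer_mib << shift;
    return 0;
}

/* Hypothetical helper: bytes needed for (entries + 1) pointers, overflow-checked. */
int queue_alloc_bytes(size_t entries, size_t *bytes)
{
    if (entries == SIZE_MAX)
        return -1;                      /* entries + 1 would wrap to 0 */
    if (entries + 1 > SIZE_MAX / sizeof(void *))
        return -1;                      /* multiplication would wrap */
    *bytes = (entries + 1) * sizeof(void *);
    return 0;
}

/* Allocate the pointer array only when both computations are proven exact. */
void **checked_queue_alloc(size_t buffer_mib, unsigned block_log, size_t *entries)
{
    size_t bytes;
    if (queue_entries(buffer_mib, block_log, entries) != 0 ||
        queue_alloc_bytes(*entries, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t n;
    void **q = checked_queue_alloc(256, 17, &n);  /* constructed sample values */
    int ok = q != NULL && n == 2048;
    free(q);
    return ok ? 0 : 1;
}
```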

Statement

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of squashfs-tools as shipped with Red Hat Enterprise Linux 5, as they did not include support for parallel processing and did not make use of queues.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.